traffic scanning?


Urza9814

For several days now, I've been getting a bunch of traffic to my network being blocked by my router as DoS attacks. I know there's one Comcast IP, one Verizon, two or three from various South American countries, and a few others I never bothered to look into. When I shut down all my computers it still comes, and even after unplugging my modem for over an hour to drop the connection, it's still coming through nearly constantly. Anyways, I was kinda wondering if there's any way, before contacting my ISP, that I could look at this stuff a little closer and maybe figure out what the hell it is? It started out as only one IP, the Comcast one, and I sent an email to the Comcast abuse line...and I guess that helped because I'm not seeing much from it anymore...but now I'm getting slammed by 6 or 7 different IPs.


If you know what IPs are coming in, you must be looking in the right place already. I'd be looking at finding where the IP is located in terms of ISP using the RIPE database and then reporting to their abuse address, like you did with Comcast.

 

Then it should help at least. If you still find they are coming through, you need to speak to your own ISP and find out what they can do to help. Email their abuse address.


Well, I pulled the IPs from my router logs, and that's all it tells me. I was kinda wondering if I could figure out a bit more about what they are, 'cause the IPs themselves don't help much there.

 

And actually, I just checked the logs, and the Comcast one is back. It's the only one there too.

What really bugs me is my ISP just got bought by Comcast, so if an email to the Comcast abuse line doesn't help much, a phone call to the support guys probably won't either.


Put the IPs in here: http://www.ripe.net/whois

 

That'll tell you who owns them, and should give you mail contacts for abuse.


If you have a box you aren't concerned about, see if you can't redirect the traffic to that box and then set up ethereal (or whatever it's called now) to catch the packets. Might help you figure out what they're trying to do.

 

Otherwise, just contact your ISP. They may not be able to do anything to the culprits, but they can at least block the traffic from reaching you - so it doesn't eat into your bandwidth.


then set up ethereal (or whatever it's called now)

 

Wireshark. Confused me when I tried to do:

 

urpmi ethereal

 

and found it didn't exist. However, with the IP, RIPE is the place to start. Just sending an abuse IP address isn't helpful. Using the RIPE database to send more info is much, much better, and even better if you can tell them what they are trying to access, which the logs should show.
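
Added example, not part of any post in this thread: a sketch of turning router drop logs into the per-IP summary (count, first/last seen, destination ports) that an abuse desk can act on. The log format, sample lines and addresses are constructed, and `LINE_RE` is an assumption to adapt to whatever your router actually writes.

```python
import re
from datetime import datetime

# Constructed sample lines (documentation address ranges). The format is an
# assumption: adjust LINE_RE to match what your router really logs.
SAMPLE_LOG = """\
2007-06-04 21:14:02 DROP DoS proto=TCP src=203.0.113.7:4312 dst_port=445
2007-06-04 21:14:05 DROP DoS proto=TCP src=203.0.113.7:4313 dst_port=445
2007-06-04 21:15:40 DROP DoS proto=UDP src=198.51.100.23:1026 dst_port=1434
2007-06-05 03:02:11 DROP DoS proto=TCP src=203.0.113.7:4410 dst_port=139
2007-06-05 03:09:57 ALLOW proto=TCP src=192.0.2.50:51000 dst_port=80
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DROP \S+ proto=(?P<proto>\w+) "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ dst_port=(?P<port>\d+)$"
)

def summarize(log_text):
    """Group dropped packets by source IP; ignore allowed or unparseable lines."""
    out = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        e = out.setdefault(
            m["ip"], {"count": 0, "first": ts, "last": ts, "ports": set()})
        e["count"] += 1
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
        e["ports"].add((m["proto"], int(m["port"])))
    return out

def abuse_report(summary):
    """One line per source IP, busiest first, ready to paste into an abuse mail."""
    lines = []
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(e["ports"]))
        lines.append(f"{ip}: {e['count']} dropped packets, {e['first']} to "
                     f"{e['last']} (router clock), destination ports {ports}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(abuse_report(summarize(SAMPLE_LOG)))
```

State the time zone of the router clock in the report, since the receiving ISP has to match the timestamps against its own records.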
